Reputation: 533
We've developed an Application that uses Entra External Id as an identity provider in order to manage all our customers' users. Users are created via the Graph API. Part of the identity payload that might be helpful:
// Properties of the Microsoft.Graph User object sent to the Graph API
// (User and ObjectIdentity come from Microsoft.Graph.Models; email is the customer's address)
var user = new User
{
    AccountEnabled = true,
    Identities = new List<ObjectIdentity>
    {
        new() { SignInType = "federated", Issuer = "mail", IssuerAssignedId = email }
    }
};
When these users log in, they should be authenticating against our IdP tenant and not be sent to their home tenant. In some cases (always for the same users) they get accelerated to their home Entra tenant, which obviously cannot authorize for our application.
It also results in a weird, mixed-up authentication page:
when it should look like this (we use an OTP login flow):
I've followed Microsoft's guide on how to disable home realm discovery and auto-acceleration for our application, in the hope that the users would stay in our IdP tenant for authentication and authorization:
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All" -TenantId $ourIdpTenantId
$params = @{
    definition = @(
        '{
            "HomeRealmDiscoveryPolicy": {
                "DomainHintPolicy": {
                    "IgnoreDomainHintForDomains": ["*"],
                    "RespectDomainHintForDomains": [],
                    "IgnoreDomainHintForApps": [],
                    "RespectDomainHintForApps": []
                }
            }
        }'
    )
    displayName = "Home Realm Discovery Domain Hint Exclusion Policy"
    isOrganizationDefault = $true
}
New-MgPolicyHomeRealmDiscoveryPolicy -BodyParameter $params
Get-MgPolicyHomeRealmDiscoveryPolicy -Property Id, displayName
# Reference to the policy created above; the hashtable must be closed before the assignment call
$assignParams = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<policyId>"
}
# -ServicePrincipalId takes the object id of the app's service principal in this tenant
New-MgServicePrincipalHomeRealmDiscoveryPolicyByRef -ServicePrincipalId "<applicationId>" -BodyParameter $assignParams
Afterwards, if I run Get-MgPolicyHomeRealmDiscoveryPolicyApplyTo -HomeRealmDiscoveryPolicyId "<policyId>"
I see the expected output, that the app is assigned the HRD policy configured above.
In order to make sure that Entra has not stored some HRD metadata on the affected users, I've deleted and recreated them after creating the HRD policy.
I'm not sure where I went wrong or if I'm missing something obvious. Any feedback or help would be appreciated. How can I force the users to authenticate against our idp tenant?
Upvotes: 1
Views: 115
Reputation: 46773
SignInType = "federated" means the user must authenticate on another tenant.
If you want to authenticate locally, could you not just use a local account?
e.g.
signInType = emailAddress
issuer = YourExtIDTenant.onmicrosoft.com
issuerAssignedId = [email protected]
Upvotes: 1
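As an added example (not the poster's code, nor Microsoft's), a C# helper on the Microsoft Graph SDK v5 that builds the local-account identity the answer describes and audits the tenant for users whose identities are still "federated" and will therefore be redirected. The tenant domain, display name and initial password are placeholders, and the password profile is assumed to be what the create-user request for a local account expects.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public static class ExternalIdUsers
{
    // Placeholder: the External ID tenant's own domain, used as the identity issuer.
    private const string TenantIssuer = "YourExtIDTenant.onmicrosoft.com";

    // A local account uses signInType "emailAddress" with the tenant itself as issuer,
    // so sign-in is handled by the External ID tenant and not forwarded to a home tenant.
    public static User BuildLocalAccount(string email, string displayName, string initialPassword) =>
        new User
        {
            AccountEnabled = true,
            DisplayName = displayName,
            Identities = new List<ObjectIdentity>
            {
                new() { SignInType = "emailAddress", Issuer = TenantIssuer, IssuerAssignedId = email }
            },
            // Assumed: create-user requests for local accounts carry a password profile.
            PasswordProfile = new PasswordProfile { Password = initialPassword, ForceChangePasswordNextSignIn = false },
            PasswordPolicies = "DisablePasswordExpiration"
        };

    // True when any identity is "federated", i.e. the user is expected to authenticate in another tenant.
    public static bool HasFederatedIdentity(User user) =>
        user.Identities?.Any(i => string.Equals(i.SignInType, "federated", StringComparison.OrdinalIgnoreCase)) == true;

    // Audit: page through all users in the tenant and return those carrying a federated identity.
    public static async Task<List<User>> FindFederatedUsersAsync(GraphServiceClient graph)
    {
        var found = new List<User>();
        var firstPage = await graph.Users.GetAsync(req =>
            req.QueryParameters.Select = new[] { "id", "displayName", "identities" });
        var iterator = PageIterator<User, UserCollectionResponse>.CreatePageIterator(
            graph, firstPage, user => { if (HasFederatedIdentity(user)) found.Add(user); return true; });
        await iterator.IterateAsync();
        return found;
    }

    // Provision a local account in the External ID tenant via POST /users.
    public static Task<User?> CreateLocalAccountAsync(GraphServiceClient graph, string email, string displayName, string initialPassword) =>
        graph.Users.PostAsync(BuildLocalAccount(email, displayName, initialPassword));
}
```

Running FindFederatedUsersAsync before switching the provisioning code identifies exactly which existing accounts will keep being accelerated to their home tenant, so they can be recreated as local accounts.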